Backup, re-install Ubuntu with full disk encryption, and restore all files and settings

When doing serious work like surfing the internet, writing, or programming, I like to do so from a single user interface regardless of whether I’m at work or home. Currently, this takes the form of a Linux laptop (Ubuntu) due to portability (laptop), power (Linux/Ubuntu), and the availability of a keyboard and touchpad (fast input).

I’ve always wanted to encrypt my laptop for privacy reasons. However, I dread the thought of a fresh OS re-install on my laptop because I would have to restore all the programs I use and the customizations I’ve configured. Sure, there are benefits to doing a fresh install like getting rid of unused programs and restoring only customizations that I truly use (I will definitely feel it if something I use is missing) to yield a less cluttered system. However, I after doing this a few times in the pass, I really don’t want to have to do it again since I don’t have any major issues with my current OS.

What I would like to do is backup my entire OS and files, re-install Ubuntu with full disk encryption, and restore the entire OS. That is, I would like the exact OS but with full disk encryption added. After some research, I found this post that describes how to perform a system backup and restore. I wondered whether the same procedure would work while following these instructions for full disk encryption during the OS installation phase. I asked on SuperUser and it appears to be fairly safe. Sources of possible complications might stem from /etc/fstab, /boot/, grub, and, as I’ll later find out, /etc/crypttab (fstab‘s equivalent for encrypted disks). I’ll now outline my attempt.

Backup

I backed up my entire system onto two external hard drives that were encrypted, just in case something wrong happened to one of the backup file.

Kromey on SuperUser recommended that I also excluded /boot because I’m adding encryption. Hence, I should use the new /boot directory. Also, he mentioned I should also exclude /dev, which makes sense to me. However, the original post mentioned that there is debate about whether to include /dev or not. I opted to back up both /boot and /dev in separate files just in case I’ll need them later.

I backed up my system to two usb drive and set up encryption on a third disk simultaneously on a 2.2 GHz dual-core laptop. The backup of 350 GB of data took about 12 hours. This length of time might have stemmed from doing multiple backups at the same time and/or from compressing the data. If not constrained by space, I would recommend not compressing the tar file (removing the -z argument) to speed up the process.

To fail-safe my attempt and have a point where I could return to my old system if things did not work, I went ahead and made an image backup of the entire disk using dd. However, this HAS to be done while the disk is unmounted. I booted the Ubuntu 11.04 Installation Disk using a USB drive to “preview” Ubuntu. Once there, I did:

People discussing in the comments here recommended Clonezilla for the image backup to make sure things are fail-safe. I wanted to finish with this project fast so I didn’t use it. If I were to re-do this again somehow, I would probably ditch dd for Clonezilla.

I also backed up my list of packages and repositories just in case I can only restore /home (my files) and /etc (my configurations). This way, I will only use programs I compiled from source.

Encryption

Followed these instructions for encryption while installing Ubuntu 11.04 Alternate. I did so from a USB boot disk created from unetbootin. Like before, I did not create a different volume for /home so it can be stored in /.

Boot up OS

When booting up, I get a blank screen with a blinking cursor. I think this is a known bug for Ubuntu 11.04 (possibly for 10.10 as well). It appears to be an issue with grub. I plugged in my USB drive to boot into Ubuntu preview and surprisingly, I get either a grub menu or a blank screen. I knew there were issues with encrypted LVM and Ubuntu 11.04 before. I tried Ctrl-Alt-F1 Ctrl-Alt-F7 and indeed, I saw the passphrase screen. I entered it and went back to TTY1 (Ctrl-Alt-F1) and logged into terminal console.

Restore

Now, I figured these issues out after having several things break. I’ll describe the solutions first and then describe how I debugged the issues.

This didn’t work and gave me a resolution that did not match the screen (image too big for screen; mouse down and up to see different parts of screen). I had to remove that option and updated grub.

I haven’t figured out how to fix grub. Some resources that I hope to lead me to the right solution: this and this.

Originally, I did not have to modify /etc/crypttab (copy the new one back) for the OS to boot. However, I wanted to make sure that everything is good in /boot (all the new init stuff, eg, encryption, and all the old init stuff, ie, what I restored) by running

sudo update-initramfs -u

(I did this because I know in the future, initramfs might be updated so I wanted to make sure I’m error free right now.)

After doing so, when booting with the USB stick plugged in, I was not asked for passphrase. The BusyBox shell appeared. Something was broken. To have a successful boot again, I had to restore /boot according to boot.new.tgz. I remember when I ran update-initramfs, I saw these messages:

After browsing the diff output, I noticed many files were identical, and many files were different. However, looking at those that were different, they don’t seem to be that important. I did notice /etc/crypttab, one being empty, and the other having something like

sdb5_crypt UUID=731a44c4-4655-4f2b-ae1a-2e3e6a14f2ef none luks

I copied the new crypttab file to /etc/crypttab.

Actually, I originally didn’t even backup my crypttab file. Thanks to the recursive diff, I was able to figure out what I needed to enter into the file (I used server’s /etc/crypttab as a reference and this to find out what needs to be inputted). After restoring the file’s content, I was able to see a screen asking for a passphrase again.

UPDATE: Fix Grub

The odd thing about my grub issue is that the system boots up when the original usb drive I used to install is plugged in and is booted. That is, it will go to grub but not the unetbootin menu that allows me to install ubuntu for preview, etc. I tried plugging in another USB boot disk and it did indeed give me the installation menu. It finally came to my mind that during my installation process, Ubuntu asked me to install Grub into the Master Boot Record (MBR) of the disk and I just accepted blindly. During that time, sda refers to the usb drive and sdb refers to my main disk. It might be the case that grub was not installed into the MBR of my disk.

The original backup post did mention about restoring Grub. I attempted these instructions but it did not work for me. It said something like /boot/grub/stage1 was not found. After perusing and trying different methods for reinstalling Grub or getting it installed on the MBR, the Boot-Repair finally worked for me. Boot into my Ubuntu system (with usb drive plugged in to successfully boot). Then remove USB drive. I then did:

Launch boot-repair. After the scan I chose “Advanced”. I re-installed Grub according to this:

Re-install Grub

Unhide Boot Menu for 10 seconds

Create BootInfo file

Separate /boot partition: sda1

Force GRUB into sda

Then “Apply”. Afterwards, my system did boot successfully without the USB drive plugged in. If it didn’t, maybe try another run of Boot-Repair but now, “Restore MBR” (I did this prior to re-installing GRUB).